WAF Blocking JQL Queries as SQL INJECTION

Nikhil November 19, 2018
We have spoken to our WAF vendor and they came back with the following issue: the WAF is blocking the traffic as it assumes JQL is SQL. Is there any way we could make the changes at the APPLICATION LEVEL? For example: user "A", when accessing externally and filtering issues using a JQL filter, JIRA is unable to load the issues. When we checked the WAF logs, the method says PUT and the attack says SQL INJECTION. Is there any way we can overcome this issue? Thank you

3 answers

2 votes
Grigory Salnikov
November 19, 2018

Hi @Nikhil !

I think you could approach this issue from 2 sides:

1. Whitelist known IP addresses (for example your HQ's or branches');

2. Tune WAF so that it accepts frequent JQL expressions, especially those used in public filters.

Seth November 19, 2018

I'm not sure what WAF is being used, but we used an AWS WAF that would flag a request as SQL injection just for having " and " or " or " in the string. There is a lot of syntax in common between JQL and SQL, so whitelisting the known IP addresses or specific pages that accept JQL is going to be your best bet.

To be fair, the AWS WAF rules didn't allow for much tuning (that I'm aware of), but your WAF may.

Grigory Salnikov
November 19, 2018

False positives are an essential part of every WAF, so you'll have to spend some time fine-tuning it. WAFs are not to be considered some kind of safety switch :)

Nikhil November 21, 2018

@Seth whitelisting web pages is not a good option, as it may be the same as just disabling SQL injection. Thank you

Seth November 21, 2018

Yeah, it does disable WAF SQL injection protection on those pages. In our app, we've just taken extra care to make sure those pages aren't vulnerable to SQL injection. The WAF should be a first line of defense, not the only defense.

The point of the WAF SQL injection filter is to block requests that look like they contain SQL when they shouldn't. Since JQL is so similar to SQL in syntax, any request that is expected to contain JQL will need to bypass the WAF.

Not quite this extreme, but it would be like putting a SQL-injection WAF in front of phpMyAdmin, then complaining that I can't submit any queries.
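As an added illustration of the false-positive mechanism Seth describes (this is not code from the thread, from Atlassian, or from any WAF vendor), the Python sketch below models a broad SQL-injection signature that fires on any bare AND/OR, next to the two tuning options raised in this thread: a source-IP allowlist and a narrower rule applied only to endpoints that legitimately carry JQL. The endpoint paths, IP ranges and sample requests are constructed assumptions, not taken from any real WAF ruleset.

```python
import ipaddress
import re
from dataclasses import dataclass

# Broad signature in the spirit of the rule Seth describes: a bare "and"/"or"
# (plus a few classic SQL fragments) is enough to flag the request. JQL uses
# AND/OR as its own boolean connectives, so every JQL filter trips it.
BROAD_SQLI = re.compile(r"(?i)\b(and|or)\b|\bunion\b\s+\bselect\b|--|'\s*;")

# Narrower signature for endpoints that are expected to carry JQL: boolean
# keywords are allowed, fragments that have no meaning in JQL are still blocked.
JQL_AWARE_SQLI = re.compile(r"(?i)\bunion\b\s+\bselect\b|--|;|\bdrop\b\s+\btable\b")

# Assumed Jira endpoints that legitimately accept JQL (constructed list).
JQL_PATHS = ("/rest/api/2/search", "/rest/api/2/filter", "/issues/")

# Assumed HQ / branch network per Grigory's option 1 (constructed range).
TRUSTED_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    payload: str  # query string or body, already URL-decoded


def naive_decision(req: Request) -> str:
    """One broad SQLi rule applied to every request, regardless of endpoint."""
    return "block" if BROAD_SQLI.search(req.payload) else "allow"


def tuned_decision(req: Request, jql_paths=JQL_PATHS, trusted_nets=TRUSTED_NETS) -> str:
    """Allowlist trusted sources, then pick a rule based on the endpoint."""
    ip = ipaddress.ip_address(req.src_ip)
    if any(ip in net for net in trusted_nets):
        return "allow"
    carries_jql = any(req.path.startswith(p) for p in jql_paths)
    rule = JQL_AWARE_SQLI if carries_jql else BROAD_SQLI
    return "block" if rule.search(req.payload) else "allow"


# Constructed sample traffic (none of these are real captures).
SAMPLES = {
    "external-jql": Request("203.0.113.10", "PUT", "/rest/api/2/filter/10001",
                            "project = WEB AND status = Open ORDER BY created DESC"),
    "hq-jql": Request("10.0.0.5", "PUT", "/rest/api/2/filter/10001",
                      "project = WEB AND status = Open ORDER BY created DESC"),
    "comment": Request("203.0.113.11", "POST", "/rest/api/2/issue/WEB-1/comment",
                       '{"body": "Tested and works"}'),
    "login-injection": Request("198.51.100.7", "POST", "/login.jsp",
                               "os_username=admin' OR 1=1 --"),
    "jql-endpoint-injection": Request("198.51.100.8", "PUT", "/rest/api/2/filter/10002",
                                      "project = WEB UNION SELECT 1 --"),
}


def run_samples() -> dict:
    """Return {sample name: (naive decision, tuned decision)} for every sample."""
    return {name: (naive_decision(r), tuned_decision(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, tuned) in run_samples().items():
        print(f"{name:24s} naive={naive:5s} tuned={tuned}")
```

The broad rule blocks the external user's JQL filter (the symptom in the question) while the tuned rule lets it through, yet both still block the login-form payload and the SQL fragment submitted through the JQL endpoint. The plain issue comment containing the word "and" remains a false positive under both, which is the kind of residual tuning Grigory's reply refers to.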

0 votes
Nikhil November 21, 2018

Yeah, true. We are using Fortinet. And I was just checking another way we could make this application secure. Thank you

0 votes
Nikhil November 21, 2018

@Seth I am sorry, I didn't get you. Can you explain whether this can be done or not in the WAF? By the way, is there a way we can set the WAF to accept JQL but still not accept WAF? I guess I am asking for something which is not possible. Anyways, thank you guys.

Nic Brough -Adaptavist-
November 21, 2018

The problem here is your WAF settings, and you're asking people who know Atlassian stuff, not WAF (and you've not even said what WAF).

You need to configure the WAF to allow this through; there's nothing that can be done on the application side, as it's not doing anything wrong.

It certainly is possible, if you're using the right sort of WAF. The response from your vendor (try to blame someone else) suggests that it doesn't support doing it properly, so you're probably stuck.
